www.novell.com Novell Training Services
ATT LIVE 2012 LAS VEGAS
Install and Configure an Open Source
Identity Server
Lab
SUS05 / SUS06
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451 U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
Section 1
Configure an Open Source Identity Server
Exercise 1.1 Configure an NTP Server on the LDAP Servers
Task I: Configure the NTP Server on DS1
Task II: Configure the NTP Server on DS2
Exercise 1.2 Configure csync2 for the CA/LDAP/Kerberos Servers (Optional)
Task I: Configure csync2
Exercise 1.3 Configure a Certificate Authority with YaST
Task I: Create a Root CA
Task II: Replicate the Root CA to another Server
Exercise 1.4 Generate a Common Server Certificate with YaST
Task I: Generate a Server Certificate
Task II: Set a Certificate as the Common Server Certificate
Task III: Replicate the Changes to the CA to another Server
Exercise 1.5 Generate an SSL Server Certificate for the 2nd LDAP Server (Optional)
Task I: Generate a Server Certificate
Task II: Replicate the Changes to the CA to the other Server
Task III: Set a Certificate as the Common Server Certificate
Exercise 1.6 Create a Synchronized Exported Key Store
Task I: Create a Synchronized Exported Key Store
Task II: Replicate the Changes to the CA to another Server
Exercise 1.7 Configure an OpenLDAP Master Server
Task I: Configure the LDAP Server
Task II: Configure the LDAP Client on the LDAP Server
Task III: Browse the LDAP Database
Exercise 1.8 Configure an OpenLDAP Slave Server (Optional)
Task I: Configure the LDAP Slave Server
Task II: Configure the LDAP Client on the LDAP Server
Task III: Browse the LDAP Database
Exercise 1.9 Configure a Multi-master LDAP Replication (Optional)
Task I: Configure LDAP Multi-master Database Replication
Exercise 1.10 Configure a Kerberos Server with a LDAP Back End
Task I: Configure LDAP to Store the Kerberos Database
Task II: Configure a Kerberos Server
Exercise 1.11 Configure a Secondary Kerberos with a LDAP Back End (Optional)
Task I: Configure LDAP to Store the Kerberos Database
Task II: Configure a Kerberos Server
Task III: Configure the Kerberos Client
Section 2
Configure a LDAP Client
Exercise 2.1 Generate an SSL Server Certificate for Another Server
Task II: Export the Server Certificate in PKCS12 Format
Task III: Export the Server Certificate in PEM Format
Task IV: Copy the Cert and Key Files to the Other Server
Task V: Replicate the Changes to the CA to another Server
Exercise 2.2 Import a Common Server Certificate for a Server
Task I: Generate a Server Certificate
Exercise 2.3 Create LDAP Groups and Users
Task I: Create LDAP Groups
Task II: Create LDAP Users
Exercise 2.4 Configure an LDAP Client with YaST
Task I: Configure an LDAP Client
Section 3
Configure a Kerberos Client
Exercise 3.1 Configure an NTP Client
Task I: Configure the NTP Clients
Exercise 3.2 Create LDAP Group and Users for Kerberos
Task I: Create an LDAP Group for Kerberos Users
Task II: Create LDAP Users for Kerberos
Exercise 3.3 Create Kerberos User Principals
Task I: Create Kerberos User Principals
Exercise 3.4 Configure a Kerberos Client with YaST
Task I: Configure the Kerberos Client
Exercise 3.5 Configure pam to Use Both Kerberos and LDAP
Option I: Configure pam with pam-config
Option II: Edit the pam Configuration Files
Section 4
Configure SSH to Use Kerberos
Exercise 4.1 Generate Host Principals and Keytabs for the Kerberos Servers
Task I: Create the Kerberos Host Principals
Task II: Generate the Kerberos Keytabs
Exercise 4.2 Generate Host Principals and Keytabs for a SSH Server
Task I: Generate the Kerberos Host Principal
Task II: Generate the Kerberos Keytabs
Task III: Copy the Keytab to the SSH Server
Exercise 4.3 Configure a SSH on the Kerberos Server to Use Kerberos Authentication
Task I: Configure the SSH Daemon for Kerberos
Task II: Test SSH Kerberos Authentication
Exercise 4.4 Configure SSH to Use Kerberos Authentication
Task I: Configure the SSH Daemon for Kerberos
Task II: Test SSH Kerberos Authentication
Section 5
Configure NFSv4
Exercise 5.1 Configure an NTP Client on the NFS Server
Task I: Configure the NTP Clients
Exercise 5.2 Generate an SSL Server Certificate for Another Server
Task IV: Copy the Cert and Key Files to the Other Server
Task V: Replicate the Changes to the CA to another Server
Exercise 5.3 Import a Common Server Certificate for a Server
Task I: Generate a Server Certificate
Exercise 5.4 Configure an LDAP Client with YaST
Task I: Configure an LDAP Client
Exercise 5.5 Configure a Kerberos Client with YaST
Task I: Configure the Kerberos Client
Exercise 5.6 Configure pam to Use Both Kerberos and LDAP
Option I: Configure pam with pam-config
Option II: Edit the pam Configuration Files
Exercise 5.7 Generate a Host Principal and Keytab for a NFS Server
Task I: Generate the Kerberos Keytabs
Exercise 5.8 Configure SSH to Use Kerberos Authentication
Task I: Configure the SSH Daemon for Kerberos on the NFS Server
Task II: Test SSH Kerberos Authentication
Exercise 5.9 Configure an NFSv4 Server with GSSAPI
Task I: Configure the NFS Server
Exercise 5.10 Configure an NFSv4 Client with GSSAPI Security
Task I: Configure an NFS Client for GSSAPI Security
Task II: Enable GSS Security for the NFS Client
Exercise 5.11 Export Home Directories with NFSv4 and GSSAPI Security
Task I: Export /home via NFSv4
Task II: Verify the Exported File System
List of Figures
Lab Network Environment
Machine Roles
Node1 Network Configuration
Node2 Network Configuration
Node3 Network Configuration
Storage1 Network Configuration
DS1 Network Configuration
Section 1 Configure an Open Source Identity Server
In this section you configure OpenSSL, OpenLDAP and Kerberos to create an identity server based on open source software.
1.1 Configure an NTP Server on the LDAP Servers
In this exercise, you use the YaST NTP module to configure an NTP server.
Objectives:
Task I: Configure the NTP Server on DS1
Task II: Configure the NTP Server on DS2
Special Instructions and Notes:
You may need to turn off or modify the firewall rules on the NTP server if its firewall is enabled.
NTP_SERVER_IP=_______________________
Task I: Configure the NTP Server on DS1
1. On the DS1 server, launch the NTP YaST module on the NTP server:
YaST > Network Services > NTP Configuration
2. Select Start NTP Daemon: Now and On Boot
Click Continue if a warning window appears
3. Ensure that Undisciplined Local Clock (LOCAL) is listed
4. Highlight Undisciplined Local Clock (LOCAL) and click Edit
5. Click Driver Calibration
6. Change the Stratum to be 5
7. Click Next, then OK and then OK
8. Restart the NTP daemon on the NTP server by entering the following at the command line of that server:
killall ntpd
rcntp restart
Task II: Configure the NTP Server on DS2
1. On the DS2 server, launch the NTP YaST module on the NTP server:
YaST > Network Services > NTP Configuration
2. Select Start NTP Daemon: Now and On Boot
Click Continue if a warning window appears
3. Ensure that Undisciplined Local Clock (LOCAL) is listed
4. Click Add and then Next
6. On the NTP Server screen, enter the following values in the corresponding fields:
Address: 172.17.2.16
Options: iburst
7. Click the Test button
If the test is unsuccessful, the NTP server on DS1 may not be finished starting. Wait a minute or two and try again.
When the test is successful, click OK
8. Click Next, then OK and then OK
9. Restart the NTP daemon on the NTP server by entering the following at the command line of that server:
killall ntpd
rcntp restart
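The Test button in step 7 can also be reproduced from the command line with ntpq -pn. The following script is an added example, not part of the lab manual: it parses that output and reports whether ntpd is really synchronized to the upstream server (172.17.2.16, seen at stratum 6 because DS1 serves its local clock at stratum 5) or has quietly fallen back to its own Undisciplined Local Clock; both sample outputs are constructed. The distinction matters later in this lab, because Kerberos rejects requests whose timestamps differ from the KDC's by more than its clock-skew tolerance (five minutes by default).

```python
"""Check ntpd peer state from `ntpq -pn` output (added example, not from the lab manual)."""

# Constructed sample output, as `ntpq -pn` would show on DS2 after Exercise 1.1.
# DS1 serves its Undisciplined Local Clock at stratum 5, so DS2 sees DS1 at stratum 6.
SAMPLE_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*172.17.2.16     LOCAL(0)         6 u   12   64    1    0.214   -0.083   0.021
 127.127.1.0     .LOCL.          10 l    -   64    0    0.000    0.000   0.000
"""

# Constructed failure case: DS1 is not answering yet (refid .INIT., stratum 16),
# so DS2 has selected its own local clock and is free-running.
SAMPLE_LOCAL_ONLY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 172.17.2.16     .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   10   64    1    0.000    0.000   0.000
"""

REFCLOCK_PREFIX = "127.127."   # pseudo-addresses 127.127.t.u denote local reference clocks


def parse_ntpq(text):
    """Return one dict per peer line. Column 0 is the tally code: '*' marks the
    system peer ntpd is actually synchronized to, ' ' a rejected/unreached peer."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10 or fields[0] == "remote":
            continue
        remote, refid, stratum, ptype, _when, _poll, reach, _delay, offset, _jitter = fields[:10]
        peers.append({
            "tally": tally,
            "remote": remote,
            "refid": refid,
            "stratum": int(stratum),
            "type": ptype,                # 'u' = unicast server, 'l' = local refclock
            "reach": int(reach, 8),       # octal shift register of the last 8 polls
            "offset_ms": float(offset),
        })
    return peers


def check_sync(peers, max_offset_ms=500.0):
    """Return (ok, reason). ok only when the selected peer is a network server
    with a usable stratum, not a local refclock, and the offset is small."""
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        return False, "no system peer selected yet; ntpd may still be starting"
    peer = selected[0]
    if peer["remote"].startswith(REFCLOCK_PREFIX) or peer["type"] == "l":
        return False, "synchronized to the local clock only; upstream server not reachable"
    if peer["stratum"] >= 16:
        return False, "selected peer is itself unsynchronized (stratum 16)"
    if abs(peer["offset_ms"]) > max_offset_ms:
        return False, f"offset {peer['offset_ms']:.1f} ms exceeds {max_offset_ms:.1f} ms"
    return True, f"synchronized to {peer['remote']} at stratum {peer['stratum']}"


if __name__ == "__main__":
    for label, sample in (("synced", SAMPLE_SYNCED), ("local-only", SAMPLE_LOCAL_ONLY)):
        ok, reason = check_sync(parse_ntpq(sample))
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```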
1.2 Configure csync2 for the CA/LDAP/Kerberos Servers (Optional)
In this exercise you configure csync2 to keep the common certificate authority, LDAP and Kerberos configuration files in sync.
Objectives:
Task I: Configure csync2
Special Instructions and Notes:
The csync2 package must be installed for this exercise to be performed successfully. The csync2 package can be found in the SLE-HA Extension and on http://software.opensuse.org
Task I: Configure csync2
1. On the first LDAP server (DS1), open a terminal window and, if not already logged in as the root user, enter su - to become root
2. Enter the following command to create the csync2 key for the CA/LDAP/Kerberos servers:
csync2 -k /etc/csync2/key_cagroup
3. In the text editor of your choice (as root) open the /etc/csync2/csync2.cfg file to be edited
4. Add the following to the end of the file:
group ca_group {
  host ds1 ds2;
  key /etc/csync2/key_cagroup;
  include /etc/csync2/csync2.cfg;
  include /var/lib/CAM;
  include /etc/ldap/ldap-pw;
  include /var/lib/kerberos/krb5kdc/.k5.SITE;
  include /var/lib/kerberos/krb5kdc/kadm5.keytab;
}
5. Save the file and close the text editor
6. Enter the following command(s) to copy the initial file to the other LDAP server(s):
scp /etc/csync2/key_cagroup ds2:/etc/csync2/
scp /etc/csync2/csync2.cfg ds2:/etc/csync2/
7. Enter the following command to enable csync2:
chkconfig csync2 on
insserv xinetd
rcxinetd restart
8. Repeat the previous step on the other LDAP servers
9. On the first LDAP server (DS1) enter the following command(s) to perform the initial file synchronization:
csync2 -xv
1.3 Configure a Certificate Authority with YaST
In this exercise, you use the YaST CA Management module to configure an SSL certificate authority.
Objectives:
Task I: Create a Root CA
Task II: Replicate the Root CA to another Server
Special Instructions and Notes:
CA_NAME=_____________________________________________
CA_COMMON_NAME=___________________________________
CA_EMAIL=_____________________________________________
CA_PASSWD=___________________________________________
DS2_IP=________________________________________________
Task I: Create a Root CA
1. On the first LDAP server (DS1), launch the YaST CA module:
YaST > Security and Users > CA Management
2. On the CA Selection screen, click Create Root CA
3. Use the following values to fill in the fields on the Create Root CA (step 1/3) screen. If a value is not provided for a field, leave the default value in the field.
CA Name = CA_NAME
Common Name = CA_COMMON_NAME
E-Mail Addresses = CA_EMAIL
TIP: For the e-mail address, enter the value in the field below the E-Mail addresses list and click Add
4. When the values have been entered, click Next
5. On the Create New Root CA (step 2/3) screen, fill in the fields using the following values:
Password = CA_PASSWD
Key Length (bit) = 2048
Valid Period (days) = 3650
6. When the values have been entered, click Next
7. On the Create New CA (step 3/3) screen, verify that all values are correct and then click Create
You should see your newly created CA in the CA Tree list on the CA Selection screen. If the YaST CA Management module is closed, launch it again.
8. To view the contents of the CA, select the CA from the CA Tree list and click Enter CA
9. When prompted for the CA password, enter the CA password used above and click OK
You should see information about your CA
Task II: Replicate the Root CA to another Server
1. On the first LDAP server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
-If csync2 IS configured:
csync2 -xv
-If csync2 is NOT configured:
rsync -a /var/lib/CAM/ root@DS2_IP:/var/lib/CAM/
When prompted, enter the root password
2. On the second LDAP server (DS2), verify that the CA directory was copied to /var/lib/CAM/
3. On the second LDAP server (DS2), launch the YaST CA module:
YaST > Security and Users > CA Management
You should see the new CA listed here as well.
1.4 Generate a Common Server Certificate with YaST
In this exercise, you use the YaST CA Management module to generate an SSL server certificate. You then set that certificate as the common server certificate for the machine.
Objectives:
Task I: Generate a Server Certificate
Task II: Set a Certificate as the Common Server Certificate
Task III: Replicate the Changes to the CA to another Server
Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
CA_PASSWD=________________________________________
CRT_COMMON_NAME=_______________________________
CRT_EMAIL=_________________________________________
DS2_IP=______________________________________________
Task I: Generate a Server Certificate
1. On the first LDAP server (DS1), launch the YaST CA Management module:
YaST > Security and Users > CA Management
2. From the CA Tree list, select your CA and click Enter CA
3. When prompted for the CA password, enter CA_PASSWD
4. On the Certificate Authority (CA) screen, select the Certificates tab
5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate
6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field.
NOTE: The common name should be the fully qualified domain name that will be used to access the server.
Common Name = CRT_COMMON_NAME
E-Mail Addresses = CRT_EMAIL
TIP: For the e-mail address, enter the value in the field below the E-Mail Addresses list and click Add
7. When the values have been entered, click Next
8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box
9. Fill in the rest of the fields using the following values:
Key Length (bit) = 2048
Valid Period (days) = 365
10. When the values have been entered, click Next
11. On the Create New Server Certificate (step 3/3), verify that the values are correct and then click Create
You should see the newly created server certificate in the certificates list and it should be listed as valid.
Task II: Set a Certificate as the Common Server Certificate
1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates
2. From the Export drop-down list, select Export as Common Server Certificate
3. When prompted for the Certificate password, enter CA_PASSWD and click OK
4. When the export confirmation window appears, click OK
5. To verify that the certificate was exported, open a terminal window and enter the following command:
ls -l /etc/ssl/servercerts/
You should see two files named servercert.pem and serverkey.pem. These are the files that were created when the certificate was exported as the common server certificate.
Task III: Replicate the Changes to the CA to another Server
1. On the first LDAP server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
-If csync2 IS configured:
csync2 -xv
-If csync2 is NOT configured:
rsync -a /var/lib/CAM/ root@DS2_IP:/var/lib/CAM/
When prompted, enter the root password
2. (Optional) On the DS2 server, verify that the CA updates were copied to /var/lib/CAM/
1.5 Generate an SSL Server Certificate for the 2nd LDAP Server (Optional)
In this exercise, you use YaST to generate a server certificate for the 2nd LDAP server. You then import the certificate on the DS2 server as the common server certificate.
Objectives:
Task I: Generate a Server Certificate
Task II: Replicate the Changes to the CA to the other Server
Task III: Set a Certificate as the Common Server Certificate
Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
CA_PASSWD=_________________________________________
DS2_FQDN=_____________________________________
DS2_IP=______________________________________________
CRT_EMAIL=_________________________________________
Task I: Generate a Server Certificate
1. On the first LDAP server (DS1), launch the YaST CA Management module:
YaST > Security and Users > CA Management
If prompted for the root user's password, enter novell
2. From the CA Tree list, select your CA and click Enter CA
3. When prompted for the CA password, enter CA_PASSWD
4. On the Certificate Authority (CA) screen, select the Certificates tab
5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate
6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field.
NOTE: The common name should be the fully qualified domain name that will be used to access the server.
Common Name = DS2_FQDN
E-Mail Addresses = CRT_EMAIL
TIP: For the e-mail address, enter the value in the field below the E-Mail Addresses list and click Add
7. When the values have been entered, click Next
8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box
9. Fill in the rest of the fields using the following values:
Key Length (bit) = 2048
Valid Period (days) = 365
10. When the values have been entered, click Next
11. On the Create New Server Certificate (step 3/3), verify that the values are correct and then click Create
You should see the newly created server certificate in the certificates list and it should be listed as valid.
Task II: Replicate the Changes to the CA to the other Server
1. On the DS1 server, while logged in as the root user, open a terminal window and enter one of the following commands:
-If csync2 IS configured:
csync2 -xv
-If csync2 is NOT configured:
rsync -a /var/lib/CAM/ root@DS2_IP:/var/lib/CAM/
When prompted, enter the root password
2. (Optional) On the DS2 server, verify that the CA updates were copied to /var/lib/CAM/
Task III: Set a Certificate as the Common Server Certificate
1. On the DS2 server, launch the YaST CA Management module:
YaST > Security and Users > CA Management
If prompted for the root user's password, enter novell
2. From the CA Tree list, select your CA and click Enter CA
3. When prompted for the CA password, enter CA_PASSWD
4. On the Certificates tab of the Certificate Authority (CA) screen, select the ds2 certificate from the list of certificates
5. From the Export drop-down list, select Export as Common Server Certificate
6. When prompted for the Certificate password, enter CA_PASSWD and click OK
7. When the export confirmation window appears, click OK
8. To verify that the certificate was exported, open a terminal window and enter the following command:
ls -l /etc/ssl/servercerts/
You should see two files named servercert.pem and serverkey.pem. These are the files that were created when the certificate was exported as the common server certificate.
1.6 Create a Synchronized Exported Key Store
In this exercise, you create a directory to hold the exported certificates and keys that can be replicated to the other CA server.
Objectives:
Task I: Create a Synchronized Exported Key Store
Task II: Replicate the Changes to the CA to another Server
Special Instructions and Notes:
(none)
Task I: Create a Synchronized Exported Key Store
1. On the first CA server (DS1), enter the following command to create a directory to store exported server certificates:
mkdir -p /var/lib/serverkeys/
2. If you have not configured csync2, skip to the next task. If you have configured csync2, do the following:
In the text editor of your choice, as the root user, open the /etc/csync2/csync2.cfg file to be edited
3. Add the following to the end of the group ca_group section before its closing } :
include /var/lib/serverkeys;
4. Save the file and close the text editor
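Step 3 edits the existing ca_group block by hand. Because csync2 expects the same csync2.cfg on every host of the group (which is why the lab syncs the file itself), it is worth making that edit repeatable. The following Python is an added example, not part of the lab manual: it parses the group block and inserts the include line before the closing brace only when the path is not already there; the csync2.cfg fragment is constructed from Exercise 1.2.

```python
"""Maintain include paths in a csync2 group block (added example, not from the lab manual)."""
import re

# Constructed /etc/csync2/csync2.cfg fragment as written in Exercise 1.2.
SAMPLE_CFG = """\
group ca_group {
  host ds1 ds2;
  key /etc/csync2/key_cagroup;
  include /etc/csync2/csync2.cfg;
  include /var/lib/CAM;
  include /etc/ldap/ldap-pw;
}
"""

GROUP_HEADER = re.compile(r"^\s*group\s+(\S+)\s*\{")


def parse_groups(cfg_text):
    """Return {group_name: {"host": [...], "key": path or None, "include": [...]}}.
    Accepts one statement per line as well as several ';'-separated statements
    on one line, and a closing brace that shares a line with statements."""
    groups, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = GROUP_HEADER.match(line)
        if header:
            current = groups.setdefault(header.group(1), {"host": [], "key": None, "include": []})
            line = line[header.end():]
        closing = line.endswith("}")
        if closing:
            line = line[:-1]
        for stmt in (s.strip() for s in line.split(";")):
            if not stmt or current is None:
                continue
            keyword, _, rest = stmt.partition(" ")
            if keyword == "host":
                current["host"].extend(rest.split())
            elif keyword == "key":
                current["key"] = rest.strip()
            elif keyword == "include":
                current["include"].append(rest.strip())
        if closing:
            current = None
    return groups


def add_include(cfg_text, group, path):
    """Insert `include <path>;` just before the closing brace of `group`.
    Returns the text unchanged when the path is already included, and raises
    KeyError when the group does not exist, so a typo in the group name can
    never create a second, diverging group by accident."""
    groups = parse_groups(cfg_text)
    if group not in groups:
        raise KeyError(f"group {group!r} not found")
    if path in groups[group]["include"]:
        return cfg_text
    lines = cfg_text.splitlines(keepends=True)
    inside = False
    for i, line in enumerate(lines):
        header = GROUP_HEADER.match(line)
        if header and header.group(1) == group:
            inside = True
        if not inside:
            continue
        stripped = line.rstrip()
        if stripped.endswith("}"):
            prev = lines[i - 1] if i > 0 else ""
            # reuse the indentation of the previous statement line, if there is one
            indent = "" if GROUP_HEADER.match(prev) else re.match(r"\s*", prev).group(0)
            new_stmt = f"{indent}include {path};\n"
            body = stripped[:-1].rstrip()
            if body:          # brace shares the line with statements: split them apart
                lines[i] = f"{body}\n{new_stmt}}}\n"
            else:
                lines.insert(i, new_stmt)
            return "".join(lines)
    raise ValueError(f"group {group!r} has no closing brace")


if __name__ == "__main__":
    print(add_include(SAMPLE_CFG, "ca_group", "/var/lib/serverkeys"))
```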
Task II: Replicate the Changes to the CA to another Server
1. On the first CA server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
-If csync2 IS configured:
csync2 -xv
-If csync2 is NOT configured:
rsync -a /var/lib/serverkeys/ root@DS2_IP:/var/lib/serverkeys/
When prompted, enter the root password
1.7 Configure an OpenLDAP Master Server
In this exercise, you use the YaST LDAP Server module to configure a Master LDAP server. You then use the YaST LDAP Client module to create the default objects in the directory and then use the YaST LDAP Browser to browse the LDAP database.
Objectives:
Task I: Configure the LDAP Server
Task II: Configure the LDAP Client on the LDAP Server
Task III: Browse the LDAP Database
Special Instructions and Notes:
Use the following value(s) in this exercise:
BASE_DN=______________________________________
ADMIN_DN=____________________________________
ADMIN_DN_PASSWD=____________________________
Task I: Configure the LDAP Server
1. On the first LDAP server (DS1), launch the YaST LDAP Server module:
YaST > Network Services > LDAP Server
2. On the General Settings screen, under Start LDAP Server, select Yes. If the Open Port in Firewall check box is enabled, select it as well and click Next
3. On the Please Select Server Type screen, select This server can act as a master server in a replication setup and click Next
4. On the TLS Settings screen, under Basic Settings, ensure that all of the check boxes are selected and click Next
NOTE: If a common server certificate has not been generated, you will need to specify the paths to the CA certificate, server certificate, and server key files. If these have not been generated, you can click the Launch CA Management Module button and use YaST to generate these certificates.
5. On the Basic Database Settings screen, fill in the fields using the following values. If a value is not provided, leave the default value in the field:
Database Type: hdb
Base DN = BASE_DN
Administrator DN = ADMIN_DN
Append Base DN = (checked)
LDAP Administrator Password = ADMIN_DN_PASSWD
Use this database as the default … = (checked)
6. When the values have been entered, click Next
7. On the Replication Master setup screen, enter the following for the password and then click Next:
Password = linux
Prepare for MirrorMode replication = (unchecked)
Note: MirrorMode will optionally be configured in a later exercise.
8. On the LDAP Server Configuration Summary screen, verify that the values are correct and click Finish
9. Open a terminal window and, if not already logged in as the root user, enter su - to become root
10. Enter the following commands to copy the Kerberos schema files into the OpenLDAP schema directory:
cd /usr/share/doc/packages/krb5/
cp kerberos.* /etc/openldap/schema/
11. Launch the YaST LDAP Server module again:
YaST > Network Services > LDAP Server
12. In the left pane, select Schema Files
13. In the right pane, click Add, select kerberos.schema and then click Open
14. Click Add again, select samba3.schema and then click Open
15. Click Add again, select dhcp.schema and then click Open
16. Click Add again, select dnszone.schema and then click Open
17. If this is the first LDAP server, make a list of the schema files listed here (the order doesn't matter):
_____________________________________________
_____________________________________________
_____________________________________________
18. Click OK to close the YaST module
Task II: Configure the LDAP Client on the LDAP Server
1. On the first LDAP server, launch the YaST LDAP Client module:
YaST > Network Services > LDAP Client
2. Under User Authentication, select Use LDAP
3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter ds1 and click Fetch DN
4. In the pop-up window showing the available DNs, select the Base DN created above and click OK
5. Ensure that only the following check box(es) are selected:
Create Home Directory on Login
6. Click Advanced Configuration
7. Select the Administration Settings tab
8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes:
Append Base DN
Create Default Configuration Objects
Home Directories on This Machine
9. When the values have been entered, click OK
10. Back on the LDAP Client Configuration screen, click OK to finish
11. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
12. Click OK to finish
13. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
Task III: Browse the LDAP Database
1. On the first LDAP server, launch YaST LDAP Browser module:
YaST > Network Services > LDAP Browser
2. On the pop-up window, select/enter the following:
LDAP Connections: Current LDAP Client settings
LDAP Server: 127.0.0.1
Administrator DN: ADMIN_DN
LDAP Server Password: ADMIN_DN_PASSWD
LDAP TLS: (checked)
3. In the left pane, select BASE_DN
You should see the currently configured objects in the directory
1.8 Configure an OpenLDAP Slave Server (Optional)
In this exercise, you use the YaST LDAP Server module to configure a LDAP slave server. You then use the YaST LDAP Browser module to view the objects in the directory.
Objectives:
Task I: Configure the LDAP Slave Server
Task II: Configure the LDAP Client on the LDAP Server
Task III: Browse the LDAP Database
Special Instructions and Notes:
Use the following value(s) in this exercise:
BASE_DN=______________________________________
ADMIN_DN=____________________________________
ADMIN_DN_PASSWD=____________________________
Task I: Configure the LDAP Slave Server
1. On the second LDAP server (DS2), launch the YaST LDAP Server module:
YaST > Network Services > LDAP Server
2. On the General Settings screen, under Start LDAP Server, select Yes. If the Open Port in Firewall check box is enabled, select it as well and click Next
3. On the Please Select Server Type screen, select This will be a replica (slave) server ... and click Next
4. On the Slave server setup screen, enter/select the following values:
Protocol: ldap
Provider Hostname = ds1
Port: 389
Administrator Password ... = ADMIN_DN_PASSWD
Note: On SLES11-SP2 you must also change the following value: CA Certificate = /var/lib/CAM/Site/cacert.pem
5. When the values have been entered, click Next
6. If you get a TLS error due to a self-signed certificate, just click Continue
Task II: Configure the LDAP Client on the LDAP Server
1. On the second LDAP server (DS2), launch the YaST LDAP Client module:
YaST > Network Services > LDAP Client
2. Under User Authentication, select Use LDAP
3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter 127.0.0.1 and click Fetch DN
4. In the pop-up window showing the available DNs, select the Base DN created above and click OK
5. Ensure that only the following check box(es) are selected:
Create Home Directory on Login
6. Click Advanced Configuration
7. Select the Administration Settings tab
8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes:
Append Base DN
Home Directories on This Machine
9. When the values have been entered, click OK
10. Back on the LDAP Client Configuration screen, click OK to finish
11. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
12. Click OK to finish
13. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
Task III: Browse the LDAP Database
1. On the second LDAP server (DS2), launch YaST LDAP Browser module:
YaST > Network Services > LDAP Browser
2. On the pop-up window select/enter the following: LDAP Connections: Current LDAP Client settings
LDAP Server: 127.0.0.1
Administrator DN: ADMIN_DN
LDAP Server Password: ADMIN_DN_PASSWD
LDAP TLS: (checked)
3. In the left pane, select BASE_DN
You should see the currently configured objects in the directory
1.9 Configure a Multi-master LDAP Replication (Optional)
In this exercise, you configure two LDAP servers for multi-master database replication.
Objectives:
Task I: Configure LDAP Multi-master Database Replication
Special Instructions and Notes:
Use the following value(s) in this exercise:
BASE_DN=______________________________________
Task I: Configure LDAP Multi-master Database Replication
1. On the first LDAP server (DS1), enter the following command to retrieve the syncrepl user credentials:
ldapsearch -Y external -H ldapi:/// -b cn=config | grep credentials
Record the value shown in credentials="*******" here:
SYNCREPL_CREDS=_________________________________
2. In the text editor of your choice, create and open the /tmp/add_MM.ldif file to be edited
3. Enter the following in the file:
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ds1
olcServerID: 2 ldap://ds2

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=2 provider="ldap://ds1" searchbase="dc=site" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,BASE_DN" credentials="SYNCREPL_CREDS"
olcSyncRepl: rid=4 provider="ldap://ds2" searchbase="dc=site" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,BASE_DN" credentials="SYNCREPL_CREDS"

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcMirrorMode
olcMirrorMode: TRUE
4. Save the file and close the text editor
5. Enter the following command to update the LDAP server configuration with the new LDIF file (as one command with no line breaks):
ldapmodify -v -Y external -H ldapi:/// -f /tmp/add_MM.ldif
6. Enter the following command to verify that it worked:
ldapsearch -LLL -Y external -H ldapi:/// -b cn=config olcDataBase=*
Look for the section beginning with olcDataBase={1}hdb,cn=config. You should see olcMirrorMode: TRUE
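The LDIF in step 3 is easy to get subtly wrong by hand (a dropped quote, a duplicated rid, a continuation line that loses its leading space), and its two TLS parameters are what keep the syncrepl bind password off the wire in clear text. The following Python is an added example, not part of the lab manual: it generates the same three-entry LDIF from the server list, folds long lines the way RFC 2849 requires, parses it back, and flags any stanza where starttls is not critical, tls_reqcert is not demand, or MirrorMode is missing. It assumes BASE_DN is dc=site as in the lab's LDIF, and SYNCREPL_CREDS is the placeholder the lab uses.

```python
"""Build and check the MirrorMode LDIF of Exercise 1.9 (added example, not from the lab manual)."""
import shlex

LDIF_WIDTH = 76   # RFC 2849 recommends folding lines at 76 characters


def fold_ldif(line, width=LDIF_WIDTH):
    """Fold a long attribute line; every continuation line starts with one space."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def syncrepl_value(rid, provider, base_dn, creds):
    """One olcSyncRepl value with the lab's settings: StartTLS is mandatory and the
    provider's certificate must verify, so the bind password never crosses in clear."""
    return " ".join([
        f"rid={rid}", f'provider="{provider}"', f'searchbase="{base_dn}"',
        'type="refreshAndPersist"', 'retry="120 +"',
        "starttls=critical", "tls_reqcert=demand", 'bindmethod="simple"',
        f'binddn="uid=syncrepl,ou=system,{base_dn}"', f'credentials="{creds}"',
    ])


def build_mirrormode_ldif(servers, base_dn, creds, db="olcDatabase={1}hdb,cn=config"):
    """servers: ordered list of (server_id, ldap_url). Each server gets one syncrepl
    stanza with rid = 2 * server_id, matching the lab (rid=2 for ds1, rid=4 for ds2)."""
    server_ids = ["dn: cn=config", "changetype: modify", "replace: olcServerID"]
    server_ids += [f"olcServerID: {sid} {url}" for sid, url in servers]
    syncrepl = [f"dn: {db}", "changetype: modify", "replace: olcSyncRepl"]
    syncrepl += [fold_ldif("olcSyncRepl: " + syncrepl_value(2 * sid, url, base_dn, creds))
                 for sid, url in servers]
    mirror = [f"dn: {db}", "changetype: modify", "add: olcMirrorMode", "olcMirrorMode: TRUE"]
    return "\n\n".join("\n".join(e) for e in (server_ids, syncrepl, mirror)) + "\n"


def parse_ldif(text):
    """Unfold continuation lines and return a list of entries, each a list of
    (attribute, value) pairs in file order."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith(" ") and current:
            name, value = current[-1]
            current[-1] = (name, value + line[1:])
        elif not line.strip():
            if current:
                entries.append(current)
                current = []
        else:
            name, _, value = line.partition(":")
            current.append((name.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def check_syncrepl(entries):
    """Return a list of findings (empty = good): every replication stanza must force
    StartTLS and verify the provider certificate, rids must be unique, and MirrorMode
    must be enabled, otherwise the syncrepl consumer database stays read-only."""
    findings, rids, mirror = [], [], False
    for entry in entries:
        for name, value in entry:
            if name == "olcSyncRepl":
                params = dict(tok.split("=", 1) for tok in shlex.split(value) if "=" in tok)
                rid = params.get("rid", "?")
                rids.append(rid)
                if params.get("starttls") != "critical":
                    findings.append(f"rid {rid}: StartTLS is not mandatory")
                if params.get("tls_reqcert") != "demand":
                    findings.append(f"rid {rid}: provider certificate is not verified")
            elif name == "olcMirrorMode" and value.upper() == "TRUE":
                mirror = True
    if len(rids) != len(set(rids)):
        findings.append("duplicate rid values")
    if not mirror:
        findings.append("olcMirrorMode is not enabled")
    return findings


if __name__ == "__main__":
    ldif = build_mirrormode_ldif([(1, "ldap://ds1"), (2, "ldap://ds2")], "dc=site", "SYNCREPL_CREDS")
    print(ldif)
    print("findings:", check_syncrepl(parse_ldif(ldif)) or "none")
```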
1.10 Configure a Kerberos Server with a LDAP Back End
In this exercise, you use the YaST Kerberos Server module to configure a Kerberos KDC that uses LDAP as the back-end database.
Objectives:
Task I: Configure LDAP to Store the Kerberos Database
Task II: Configure a Kerberos Server
Special Instructions and Notes:
An LDAP server must be configured before performing the exercise. The kerberos.ldif and kerberos.schema files must be copied from the
/usr/share/doc/packages/krb5/ directory into the /etc/openldap/schema/ directory before performing this exercise
Use the following value(s) in this exercise:
KRB5_REALM=__________________________________
KRB5_PASSWD=_________________________________
BASE_DN=______________________________________
ADMIN_DN=____________________________________
ADMIN_DN_PASSWD=___________________________
Task I: Configure LDAP to Store the Kerberos Database
1. On the DS1 server, launch the YaST LDAP Server module:
YaST > Network Services > LDAP Server
If prompted for the root user's password, enter novell
2. In the left pane, select Schema Files
3. Verify that the kerberos schema is listed. If not, click Add, browse to and select
/etc/openldap/schema/kerberos.schema, and then click Open
4. Click OK to close the LDAP Server YaST module
Task II: Configure a Kerberos Server
1. Launch the YaST Kerberos Server module:
YaST > Network Services > Kerberos Server
If prompted for the root user's password, enter novell
2. On the Select the Database Back-End screen, select Use Existing LDAP server as database back-end and click Next
3. On the Basic Kerberos Settings screen, fill in the fields using the following values:
Realm = KRB5_REALM
Password = KRB5_PASSWD
4. If the Open Port in Firewall check box is enabled, select it
5. When all of the values have been entered, click Next
6. Under LDAP Settings use the following values to fill the fields. If a value is not provided, leave the default value in the field.
LDAP Server URI = ldap://127.0.0.1
LDAP base DN = BASE_DN
KDC Bind DN = ADMIN_DN,BASE_DN
Kadmin Bind DN = ADMIN_DN,BASE_DN
(all password fields) = ADMIN_DN_PASSWD
7. When the values are entered, click Next
1.11 Configure a Secondary Kerberos Server with an LDAP Back End (Optional)
In this exercise, you use the YaST Kerberos Server module to configure a secondary Kerberos KDC that uses LDAP as the back-end database.
Objectives:
Task I: Configure LDAP to Store the Kerberos Database
Task II: Configure a Kerberos Server
Task III: Configure the Kerberos Client
Special Instructions and Notes:
An LDAP server must be configured before performing the exercise. The kerberos.ldif and kerberos.schema files must be copied from the
/usr/share/doc/packages/krb5/ directory into the /etc/openldap/schema/ directory before performing this exercise
Use the following value(s) in this exercise:
KRB5_REALM=__________________________________
KRB5_PASSWD=_________________________________
BASE_DN=______________________________________
ADMIN_DN=____________________________________
ADMIN_DN_PASSWD=___________________________
DNS_DOMAIN=_________________________________
DS2_IP=________________________________________
Task I: Configure LDAP to Store the Kerberos Database
1. On the second LDAP server (DS2), launch the YaST LDAP Server module:
YaST > Network Services > LDAP Server
If prompted for the root user's password, enter novell
2. In the left pane, select Schema Files
3. Verify that the kerberos schema is listed. If not, click Add, browse to and select
/etc/openldap/schema/kerberos.schema, and then click Open
4. Click OK to close the LDAP Server YaST module
Task II: Configure a Kerberos Server
1. Launch the YaST Kerberos Server module:
YaST > Network Services > Kerberos Server
2. On the Select the Database Back-End screen, select Use Existing LDAP server as database back-end and click Next
3. On the Basic Kerberos Settings screen, fill in the fields using the following values:
Realm = KRB5_REALM
Password = KRB5_PASSWD
4. If the Open Port in Firewall check box is enabled, select it
5. When all of the values have been entered, click Next
6. Under LDAP Settings use the following values to fill the fields. If a value is not provided, leave the default value in the field.
LDAP Server URI = ldap://127.0.0.1
LDAP base DN = BASE_DN
KDC Bind DN = ADMIN_DN,BASE_DN
Kadmin Bind DN = ADMIN_DN,BASE_DN
(all password fields) = ADMIN_DN_PASSWD
7. When the values are entered, click Next
8. When an error appears while creating the Kerberos database (because the realm already exists in LDAP), click Cancel and then OK
If asked whether you want to change the configuration, click No
9. Relaunch the Kerberos Server YaST module
10. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and then click OK
11. Select Enable Kerberos and then click Finish
12. Enter one of the following sets of commands on the second Kerberos server (DS2) to copy the missing files from the first Kerberos server (DS1):
- If csync2 IS configured:
csync2 -xv
- If csync2 is NOT configured:
cd /etc/openldap/
scp ds1:/etc/openldap/ldap-pw ./
cd /var/lib/kerberos/krb5kdc/
scp ds1:/var/lib/kerberos/krb5kdc/.k5.KRB5_REALM ./
scp ds1:/var/lib/kerberos/krb5kdc/kadm5.keytab ./
13. Enter the following command to start the Kerberos server:
rckrb5kdc start
Task III: Configure the Kerberos Client
1. Launch the YaST Kerberos Client module:
YaST > Network Services > Kerberos Client
2. Select Use Kerberos
3. Under Basic Kerberos Settings, enter the following values in the fields. If a value is not provided, leave the default value in the field.
Default Domain = DNS_DOMAIN
Default Realm = KRB5_REALM
KDC Server Address = DS2_IP
4. Click Advanced Settings
5. On the Advanced Kerberos Client Configuration screen, on the PAM Settings tab, select Kerberos Support for OpenSSH Client and then click OK
6. Back on the Kerberos Client Configuration screen click OK
7. To verify the configuration, enter the following command at the command line:
less /etc/krb5.conf
You should see a section named KRB5_REALM that contains all of the Kerberos configuration from above.
Section 2 Configure an LDAP Client
2.1 Generate an SSL Server Certificate for Another Server
In this exercise, you use YaST to generate a server certificate for another server. You then export the certificate and key to a text file and then split the certificate and key into separate files.
Objectives:
Task I: Generate a Server Certificate
Task II: Export the Server Certificate in PKCS12 Format Task III: Export the Server Certificate in PEM Format Task IV: Copy the Cert and Key Files to the Other Server Task V: Replicate the Changes to the CA to another Server
Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
CA_PASSWD=_________________________________________ SERVER_FQDN=__________________________________ SERVER_IP=______________________________________ CRT_EMAIL=_________________________________________ CRT_FILENAME=_____________________________________ DS2_IP=______________________________________________
Task I: Generate a Server Certificate
1. On the first LDAP server (DS1), launch the YaST CA Management module:
YaST > Security and Users > CA Management
2. From the CA Tree list, select your CA and click Enter CA
3. When prompted for the CA password, enter CA_PASSWD
4. On the Certificate Authority (CA) screen, select the Certificates tab
5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate
6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field.
NOTE: The common name should be the fully qualified domain name that will be used to access the server.
Common Name = SERVER_FQDN
E-Mail Addresses = CRT_EMAIL
TIP: For the e-mail address, enter the value in the field below the E-Mail Addresses list and click Add
7. When the values have been entered, click Next
8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box
9. Fill in the rest of the fields using the following values:
Key Length (bit) = 2048
Valid Period (days) = 365
10. When the values have been entered, click Next
11. On the Create New Server Certificate (step 3/3), verify that the values are correct and then click Create
You should see the newly created server certificate in the certificates list and it should be listed as valid.
Task II: Export the Server Certificate in PKCS12 Format
1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates
2. From the Export drop-down list, select Export to File
3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PKCS12 Format
4. In the Certificate Password field, type CA_PASSWD
5. In the New Password and Verify Password fields enter CA_PASSWD
6. In the File Name field, type /var/lib/serverkeys/SERVER_FQDN.p12
7. Click OK to export the certificate to a file
You should have a new text file named SERVER_FQDN.p12 in
/var/lib/serverkeys that contains both the certificate and the key.
Task III: Export the Server Certificate in PEM Format
1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates
2. From the Export drop-down list, select Export to File
3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PEM Format
4. In the Certificate Password field, type CA_PASSWD
5. In the File Name field, type /var/lib/serverkeys/CRT_FILENAME
6. Click OK to export the certificate to a file
You should have a new text file named CRT_FILENAME in /var/lib/serverkeys that contains both the certificate and the key.
7. Often applications want the certificate and key in different files. To do this, in the text editor of your choice, open the
/var/lib/serverkeys/CRT_FILENAME file.
8. Select the section of the file beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----
9. Copy this section and paste it into another empty file named
/var/lib/serverkeys/SERVER_FQDN.crt
10. Save the SERVER_FQDN.crt file
11. Select the section of the file beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----
12. Copy this section and paste it into another empty file named
/var/lib/serverkeys/SERVER_FQDN.key
13. Save the SERVER_FQDN.key file.
14. Close the text editor.
15. You should now have a file named CRT_FILENAME that ends in a .pem extension and contains both the certificate and the key, a second file named
SERVER_FQDN.crt that contains only the certificate, and a third file named
SERVER_FQDN.key that contains only the key.
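Added example, not part of the lab manual: the cut-and-paste of steps 7 to 14 done with awk, so the private key never goes through an editor buffer or clipboard, the key file is created with mode 0600, and the split fails loudly if either block is missing from the bundle. It accepts both the "RSA PRIVATE KEY" header YaST writes and a PKCS#8 "PRIVATE KEY" header, which goes slightly beyond the exercise. The sample bundle is constructed (its base64 bodies are dummies); the output names follow the exercise (SERVER_FQDN.crt and SERVER_FQDN.key).

```shell
#!/bin/sh
# Added example (not from the lab): split a cert+key PEM bundle such as
# /var/lib/serverkeys/CRT_FILENAME into SERVER_FQDN.crt and SERVER_FQDN.key.

# make_sample_bundle FILE: constructed stand-in for the file YaST exports
# with "Certificate and the Key Unencrypted in PEM Format" (dummy bodies)
make_sample_bundle() {
    cat >"$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBdummyCertificateBodyLine1
MIIBdummyCertificateBodyLine2
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEdummyKeyBodyLine1
MIIEdummyKeyBodyLine2
-----END RSA PRIVATE KEY-----
EOF
}

# pem_extract BUNDLE KIND: print the block(s) whose BEGIN/END markers match
# KIND, an awk regular expression such as "CERTIFICATE" or "(RSA )?PRIVATE KEY"
pem_extract() {
    awk -v kind="$2" '
        $0 ~ ("^-----BEGIN " kind "-----$") { p = 1 }
        p { print }
        $0 ~ ("^-----END " kind "-----$")   { p = 0 }
    ' "$1"
}

# split_pem BUNDLE OUTDIR NAME: write OUTDIR/NAME.crt and OUTDIR/NAME.key.
# Returns non-zero if either block was not found, so a half-split bundle
# is noticed instead of being copied to the other server.
split_pem() {
    bundle=$1
    crt="$2/$3.crt"
    key="$2/$3.key"
    pem_extract "$bundle" "CERTIFICATE" >"$crt"
    # The key is created under umask 077 so it is never world-readable,
    # not even for the instant before chmod runs.
    ( umask 077; pem_extract "$bundle" "(RSA )?PRIVATE KEY" >"$key" )
    chmod 600 "$key"
    [ -s "$crt" ] && [ -s "$key" ]
}

# Usage on DS1:
#   split_pem /var/lib/serverkeys/CRT_FILENAME /var/lib/serverkeys SERVER_FQDN
```

With a real bundle, openssl x509 -noout -subject -dates -in SERVER_FQDN.crt shows that the common name and validity period are the ones entered in Task I, which is a quicker check than opening the file.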
Task IV: Copy the Cert and Key Files to the Other Server
1. Copy the server cert and key to the other server:
scp /var/lib/serverkeys/SERVER_FQDN.* root@SERVER_IP:/tmp/
2. Log into the other server as root and verify that the files were copied into /tmp/
Task V: Replicate the Changes to the CA to another Server
1. On the first LDAP server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
- If csync2 IS configured:
csync2 -xv
- If csync2 is NOT configured:
rsync -a /var/lib/CAM/ root@DS2_IP:/var/lib/CAM/
rsync -a /var/lib/serverkeys/ root@DS2_IP:/var/lib/serverkeys/
2.2 Import a Common Server Certificate for a Server
In this exercise, you use YaST to import a common server certificate for a server.
Objectives:
Task I: Generate a Server Certificate
Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
CA_PASSWD=_________________________________________
SERVER_FQDN=__________________________________
Task I: Generate a Server Certificate
1. On the server, launch the YaST Common Server Certificate module:
YaST > Security and Users > Common Server Certificate
2. In the File Name field browse to or enter /tmp/SERVER_FQDN.p12
3. In the Password field enter CA_PASSWD and then click Next
4. On the Certificate Has Been Imported pop-up window, click OK
5. Back on the Common Server Certificate screen, click Finish
2.3 Create LDAP Groups and Users
In this exercise, you use the standard useradd/groupadd commands to create user and group accounts for the LDAP and Kerberos users in the LDAP directory. Because authentication for the Kerberos users will be handled by Kerberos, their passwords will be set to a non-valid password string in the LDAP directory. The LDAP users' passwords will be stored in the LDAP directory.
Objectives:
Task I: Create LDAP Groups
Task II: Create LDAP Users
Special Instructions and Notes:
The LDAP server must be configured before performing this exercise.
ADMIN_DN=____________________________
BASE_DN=______________________________
Task I: Create LDAP Groups
1. On the first LDAP server (DS1), if not already logged in as the root user, open a terminal window and enter su - to become root.
2. Enter the following commands to create the required ldap group(s) in the LDAP directory.
groupadd --service ldap --binddn ADMIN_DN,BASE_DN \
-g 2000 ldapusers
3. To see that the group(s) were successfully created, enter the following command:
getent group
You should see the newly created group(s) in the list
Task II: Create LDAP Users
1. Enter the following commands to create the LDAP users.
useradd --service ldap --binddn ADMIN_DN,BASE_DN \
-m -d /home/ldapuser1 -g ldapusers -u 2001 ldapuser1
useradd --service ldap --binddn ADMIN_DN,BASE_DN \
-m -d /home/ldapuser2 -g ldapusers -u 2002 ldapuser2
yast users edit type=ldap username=ldapuser1 password=linux
yast users edit type=ldap username=ldapuser2 password=linux
2. To see that the user(s) were successfully created, enter the following command:
getent passwd
You should see the newly created user(s) in the list
2.4 Configure an LDAP Client with YaST
In this exercise, you use the YaST LDAP Client module to configure Linux to authenticate against an OpenLDAP server.
Objectives:
Task I: Configure an LDAP Client
Special Instructions and Notes:
LDAP_SRVR_LIST=______________________________
BASE_DN=______________________________________
ADMIN_DN=____________________________________
ADMIN_DN_PASSWD=____________________________
Task I: Configure an LDAP Client
1. On Node1, launch the YaST LDAP Client module:
YaST > Network Services > LDAP Client
2. Under User Authentication, select Use LDAP
3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter
LDAP_SRVR_LIST and then click Fetch DN
4. In the pop-up window showing the available DNs, select the Base DN created above and click OK
Note: If you get a TLS error, click Advanced Configuration and in the Certificate Directory field enter:
/etc/ssl/certs
Click OK and then try clicking Fetch DN again
5. Ensure that only the following check boxes are selected:
LDAP TLS/SSL
Create Home Directory on Login
6. Click Advanced Configuration
7. Select the Administration Settings tab
8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes:
Append Base DN
9. When the values have been entered, click OK
10. Back on the LDAP Client Configuration screen, click OK to finish
11. If prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
12. (Optional) Log out and then try logging in with an LDAP user account
Section 3 Configure a Kerberos Client
3.1 Configure an NTP Client
In this exercise you use the YaST NTP module to configure an NTP client.
Objectives:
Task I: Configure the NTP Clients
Special Instructions and Notes:
You may need to turn off or modify the firewall rules on the NTP server if its firewall is enabled.
NTP_SERVER_IP=_______________________
Task I: Configure the NTP Clients
1. On Node1, launch the NTP YaST module on the NTP clients:
YaST > Network Services > NTP Configuration
2. Select Automatically Start NTP Daemon: During boot
Click Continue if a warning window appears
3. Click Add, select Server as the type and then click Next
4. In the Address field, enter NTP_SERVER_IP and click Test
A window stating that “Server is reachable and responds properly.” should appear. Click OK to dismiss the window.
(If the server does not respond, don't worry at this point because we will set the clock manually.)
5. Click OK and then OK to finish
6. Ensure the clocks are in sync manually by running the following:
sntp -P no -r NTP_SERVER_IP
Note: Running the following command displays information about the local clock relative to all NTP sources and can aid in troubleshooting NTP-related problems. (Ctrl+C terminates the command)
ntpq -p
3.2 Create LDAP Group and Users for Kerberos
In this exercise, you use the standard useradd/groupadd commands to create user and group accounts for the Kerberos users in the LDAP directory. Because authentication for the Kerberos users will be handled by Kerberos, their passwords will be set to a non-valid password string in the LDAP directory.
Objectives:
Task I: Create an LDAP Group for Kerberos Users
Task II: Create LDAP Users for Kerberos
Special Instructions and Notes:
The LDAP server must be configured before performing this exercise.
ADMIN_DN=____________________________
BASE_DN=______________________________
Task I: Create an LDAP Group for Kerberos Users
1. On the first LDAP server (DS1), if not already logged in as the root user, open a terminal window and enter su - to become root.
2. Enter the following commands to create the required ldap group(s) in the LDAP directory.
groupadd --service ldap --binddn ADMIN_DN,BASE_DN \
-g 3000 krb5users
3. To see that the group(s) were successfully created, enter the following command:
getent group
You should see the newly created group(s) in the list
Task II: Create LDAP Users for Kerberos
1. On the first LDAP server (DS1), enter the following commands to create the Kerberos users.
useradd --service ldap --binddn ADMIN_DN,BASE_DN \
-m -d /home/krb5user1 -p '!KRB5' -g krb5users -u 3001 krb5user1
useradd --service ldap --binddn ADMIN_DN,BASE_DN \
-m -d /home/krb5user2 -p '!KRB5' -g krb5users -u 3002 krb5user2
2. To see that the user(s) were successfully created, enter the following command:
getent passwd
You should see the newly created user(s) in the list
3.3 Create Kerberos User Principals
In this exercise, you create user principals.
Objectives:
Task I: Create Kerberos User Principals
Special Instructions and Notes:
The Kerberos server must be configured before performing this exercise.
If you have more than one Kerberos server, you only need to do this on one of the servers
Task I: Create Kerberos User Principals
1. On the first LDAP server (DS1), open a terminal window and, if not already logged in as the root user, enter su - to become root.
2. Enter the following commands to create user principals for the Kerberos users:
kadmin.local -q "addprinc -pw linux krb5user1"
kadmin.local -q "addprinc -pw linux krb5user2"
3. Enter the following command to see that the user principals were created:
kadmin.local -q "listprincs"
You should see the newly added user principals in the list
3.4 Configure a Kerberos Client with YaST
In this exercise, you use the YaST Kerberos Client module to configure a Kerberos client.
Objectives:
Task I: Configure the Kerberos Client
Special Instructions and Notes:
A Kerberos server must be configured before performing the exercise. Use the following value(s) in this exercise:
KRB5_REALM=__________________________________
BASE_DN=______________________________________
DNS_DOMAIN=__________________________________
KRB5_SRVR_LIST=_______________________________
Task I: Configure the Kerberos Client
1. On Node1, launch the YaST Kerberos Client module:
YaST > Network Services > Kerberos Client
2. Select Use Kerberos
3. Under Basic Kerberos Settings, enter the following values in the fields. If a value is not provided, leave the default value in the field.
Default Domain = DNS_DOMAIN
Default Realm = KRB5_REALM
KDC Server Address = KRB5_SRVR_LIST
4. Click Advanced Settings
5. On the Advanced Kerberos Client Configuration screen, on the PAM Settings tab, select Kerberos Support for OpenSSH Client and then click OK
6. Back on the Kerberos Client Configuration screen click OK
7. To verify the configuration, enter the following command at the command line:
less /etc/krb5.conf
You should see a section named KRB5_REALM that contains all of the Kerberos configuration from above.
8. (Optional) Log out and then try logging in with a Kerberos user account
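Added example, not part of the lab manual, for the "less /etc/krb5.conf" verification step here and in 1.11 Task III: a small awk parser that reads the [libdefaults] default_realm and the kdc lines of one realm's block in [realms], so a missing realm block, a default_realm that does not match, or a KDC address other than the one entered in YaST is reported instead of being overlooked while scrolling. The sample krb5.conf is constructed; EXAMPLE.COM and 10.0.0.12 stand in for KRB5_REALM and the KDC Server Address.

```shell
#!/bin/sh
# Added example (not from the lab): check the realm and KDC entries that
# the YaST Kerberos Client module is expected to have written.

# make_sample_krb5_conf FILE: constructed file in the layout YaST writes
make_sample_krb5_conf() {
    cat >"$1" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 300

[realms]
        EXAMPLE.COM = {
                kdc = 10.0.0.12
                admin_server = 10.0.0.12
                default_domain = example.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
EOF
}

# krb5_default_realm FILE: print default_realm from the [libdefaults] section
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect) }
        sect == "libdefaults" && $1 == "default_realm" && $2 == "=" { print $3; exit }
    ' "$1"
}

# krb5_realm_kdcs FILE REALM: print the kdc values inside REALM's block of
# [realms]; lines of other sections (e.g. "kdc = FILE:..." in [logging])
# and of other realms are ignored
krb5_realm_kdcs() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); inblock = 0 }
        sect == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}" { inblock = 0 }
        inblock && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$1"
}

# krb5_client_ok FILE REALM KDC: 0 when default_realm is REALM and KDC is
# one of that realm's kdc entries
krb5_client_ok() {
    [ "$(krb5_default_realm "$1")" = "$2" ] &&
    krb5_realm_kdcs "$1" "$2" | grep -qx -- "$3"
}

# Usage on the client, with the values from this exercise:
#   krb5_client_ok /etc/krb5.conf "$KRB5_REALM" "$KDC_IP" && echo "krb5.conf ok"
```

The parser only accepts the "REALM = {" form that YaST writes; if a block has been hand-edited onto one line it will not be found, which is the right failure for a check meant to catch a configuration that differs from the one entered above.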
3.5 Configure pam to Use Both Kerberos and LDAP
In this exercise you edit the common-* pam configuration files to allow both Kerberos and LDAP authentication.
Objectives:
Option I: Configure pam with pam-config
Option II: Edit the pam Configuration Files
Special Instructions and Notes:
(none)
Option I: Configure pam with pam-config
1. On Node1, log in as the root user and open a terminal window
2. Enter the following commands to view the current pam common-* files:
cat /etc/pam.d/common-{auth,password,session}
You should see the three files concatenated together on the screen (each file begins with #%PAM-1.0)
3. Enter the following command to add ldap as an authentication source:
pam-config --add --ldap
4. Enter the following command again to view the modified files:
cat /etc/pam.d/common-{auth,password,session}
Compare the previous output with the current to see the changes
5. Repeat this task on any other machines on which you wish to use both LDAP and Kerberos authentication
Option II: Edit the pam Configuration Files
WARNING: It is always a good idea to leave yourself logged in as the root user on some other terminal when editing and testing pam configuration!
1. On Node1, log in as the root user and in the text editor of your choice open the /etc/pam.d/common-auth file to be edited:
2. Add the following line after the pam_krb5.so line:
auth sufficient pam_ldap.so use_first_pass
3. Save the file
4. Open the /etc/pam.d/common-password file to be edited:
5. Add the following line after the pam_krb5.so line:
password sufficient pam_ldap.so use_authtok nullok
6. Save the file
7. Open the /etc/pam.d/common-session file to be edited:
8. Add the following line after the pam_krb5.so line:
session optional pam_ldap.so
9. Save the file and close the text editor
10. Repeat this task on any other machines on which you wish to use both LDAP and Kerberos authentication
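Added example, not part of the lab manual: the three edits of Option II as a script that can be run on every machine mentioned in step 10. Each pam_ldap.so line is inserted directly after the first pam_krb5.so line of the matching common-* file, the untouched file is kept as FILE.bak (the way back the WARNING above is about), the script refuses to edit a file that has no pam_krb5.so line to anchor on, and running it a second time changes nothing. The sample common-* files are constructed stand-ins for pam-config's output, not copies of a real system's files.

```shell
#!/bin/sh
# Added example (not from the lab): apply the Option II pam_ldap.so lines
# idempotently, keeping a backup of each file it changes.

# make_sample_pamd DIR: constructed common-auth/-password/-session, each
# with a pam_krb5.so line as the anchor the exercise refers to
make_sample_pamd() {
    mkdir -p "$1"
    printf '%s\n' '#%PAM-1.0' \
        'auth    required        pam_env.so' \
        'auth    sufficient      pam_unix2.so' \
        'auth    sufficient      pam_krb5.so     use_first_pass' >"$1/common-auth"
    printf '%s\n' '#%PAM-1.0' \
        'password        requisite       pam_pwcheck.so  nullok cracklib' \
        'password        sufficient      pam_unix2.so    use_authtok nullok' \
        'password        sufficient      pam_krb5.so     use_authtok' >"$1/common-password"
    printf '%s\n' '#%PAM-1.0' \
        'session required        pam_limits.so' \
        'session required        pam_unix2.so' \
        'session optional        pam_krb5.so' >"$1/common-session"
}

# pam_insert_after_krb5 FILE LINE: add LINE after the first pam_krb5.so line
pam_insert_after_krb5() {
    file=$1
    line=$2
    grep -qF -- "$line" "$file" && return 0      # already present: nothing to do
    grep -q 'pam_krb5\.so' "$file" || return 1   # no anchor line: refuse to guess
    cp -p "$file" "$file.bak"                    # keep the working version
    awk -v ins="$line" '{ print } !done && /pam_krb5\.so/ { print ins; done = 1 }' \
        "$file" >"$file.tmp"
    cat "$file.tmp" >"$file"                     # rewrite in place, keeping inode and mode
    rm -f "$file.tmp"
}

# pam_add_ldap DIR: the three lines from steps 2, 5 and 8, applied to
# DIR/common-auth, DIR/common-password and DIR/common-session
pam_add_ldap() {
    pam_insert_after_krb5 "$1/common-auth"     'auth    sufficient      pam_ldap.so     use_first_pass' &&
    pam_insert_after_krb5 "$1/common-password" 'password        sufficient      pam_ldap.so     use_authtok nullok' &&
    pam_insert_after_krb5 "$1/common-session"  'session optional        pam_ldap.so'
}

# pam_follows_krb5 FILE MODULE: 0 if the line right after the first
# pam_krb5.so line names MODULE (the order the exercise asks for)
pam_follows_krb5() {
    awk -v mod="$2" 'prev && index($0, mod) { found = 1 } { prev = /pam_krb5\.so/ } END { exit !found }' "$1"
}

# Usage on Node1 (with a second root shell left open, as the WARNING says):
#   pam_add_ldap /etc/pam.d && pam_follows_krb5 /etc/pam.d/common-auth pam_ldap.so
```

After the run, diff /etc/pam.d/common-auth.bak /etc/pam.d/common-auth shows exactly one added line per file, the same comparison step 4 of Option I asks you to make by eye.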
Section 4 Configure SSH to Use Kerberos
4.1 Generate Host Principals and Keytabs for the Kerberos Servers
In this exercise, you generate host principals and keytabs for the Kerberos servers.
Objectives:
Task I: Create the Kerberos Host Principals Task II: Generate the Kerberos Keytabs
Special Instructions and Notes:
(none)
Task I: Create the Kerberos Host Principals
In order to support Kerberos authentication using services such as SSH, Kerberos host and service principals must be generated for and stored in a keytab file on each machine.
1. Log into the first Kerberos server (DS1) as the root user and enter the following commands to create a host principal for each of the Kerberos servers:
kadmin.local -q "addprinc -randkey host/ds1"
kadmin.local -q "addprinc -randkey host/ds2"
Task II: Generate the Kerberos Keytabs
1. On the first Kerberos server (DS1), enter the following command to create a keytab file for that server and add its host principal to that keytab:
kadmin.local -q "ktadd -k /etc/krb5.keytab host/ds1"
2. On the first Kerberos server (DS1) enter the following command to set the proper permissions on the keytab:
chmod 600 /etc/krb5.keytab
3. On the first Kerberos server (DS1) enter the following command to see that the host principal was added to the keytab:
echo -e "rkt /etc/krb5.keytab \n list" | ktutil
You should see the principal listed at least once in the list
4. Log into the second Kerberos server (DS2) and enter the following command to create a keytab file for that server and add its host principal to that keytab:
kadmin.local -q "ktadd -k /etc/krb5.keytab host/ds2"
5. On the second Kerberos server (DS2) enter the following command to set the proper permissions on the keytab:
chmod 600 /etc/krb5.keytab
6. On the second Kerberos server (DS2) enter the following command to see that the host principal was added to the keytab:
echo -e "rkt /etc/krb5.keytab \n list" | ktutil
You should see the principal listed at least once in the list
4.2 Generate Host Principals and Keytabs for an SSH Server
In this exercise, you generate a host principal and keytab for an SSH server.
Objectives:
Task I: Generate the Kerberos Host Principal
Task II: Generate the Kerberos Keytabs
Task III: Copy the Keytab to the SSH Server
Special Instructions and Notes:
Use the following values in this exercise:
SSH_HOSTNAME=____________________________________
Task I: Generate the Kerberos Host Principal
In order to support Kerberos authentication using services such as SSH, Kerberos host and service principals must be generated for and stored in a keytab file on each machine.
1. Log into the first Kerberos server (DS1) as the root user and enter the following command to create a host principal for the SSH server:
kadmin.local -q "addprinc -randkey host/SSH_HOSTNAME"
Task II: Generate the Kerberos Keytabs
1. Enter the following command to create a keytab file for the SSH server and add the host principal to that keytab (as one command with no line breaks):
kadmin.local -q "ktadd -k /var/lib/serverkeys/SSH_HOSTNAME.keytab host/SSH_HOSTNAME"
Task III: Copy the Keytab to the SSH Server
1. Enter the following command to copy the new keytab to the SSH server (command is a single line with no line wraps):
scp /var/lib/serverkeys/SSH_HOSTNAME.keytab SSH_HOSTNAME:/etc/krb5.keytab
2. Enter the following command to set the proper permissions on the copied keytab:
ssh SSH_HOSTNAME chmod 600 /etc/krb5.keytab
3. On the SSH server, enter the following command to see that the host principal was added to the keytab:
echo -e "rkt /etc/krb5.keytab \n list" | ktutil
You should see the principal listed at least once in the list